authorize.conf

The following are the spec and example files for authorize.conf.

authorize.conf.spec

# Version 7.0.3
#
# This file contains possible attribute/value pairs for creating roles in
# authorize.conf. You can configure roles and granular access controls by
# creating your own authorize.conf.
# There is an authorize.conf in $SPLUNK_HOME/etc/system/default/. To set
# custom configurations, place an authorize.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see authorize.conf.example.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top
# of the file.
# * Each conf file should have at most one default stanza. If there are
# multiple default stanzas, attributes are combined. In the case of
# multiple definitions of the same attribute, the last definition in
# the file wins.
# * If an attribute is defined at both the global level and in a specific
# stanza, the value in the specific stanza takes precedence.

[default]

srchFilterSelecting = <boolean>
* Determines whether a role's search filters will be used for selecting or
eliminating during role inheritance.
* Selecting will join the search filters with an OR when combining the
filters.
* Eliminating will join the search filters with an AND when combining the
filters.
* All roles will default to true (in other words, selecting).
* Example:
* role1 srchFilter = sourcetype!=ex1 with selecting=true
* role2 srchFilter = sourcetype=ex2 with selecting = false
* role3 srchFilter = sourcetype!=ex3 AND index=main with selecting = true
* role3 inherits from role2 and role2 inherits from role1
* Resulting srchFilter = ((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))

[capability::<capability>]

* DO NOT edit, remove, or add capability stanzas. The existing capabilities
are the full set of Splunk system capabilities.
* Splunk adds all of its capabilities this way
* For the default list of capabilities and assignments, see authorize.conf
under the 'default' directory
* Only alphanumeric characters and "_" (underscore) are allowed in capability names.
Examples:
edit_visualizations
view_license1
* Descriptions of specific capabilities are listed below.

[role_<roleName>]

<capability> = <enabled>
* A capability that is enabled for this role.
* You can list many of these.
* Note that 'enabled' is the only accepted value here, as capabilities are
disabled by default.
* Roles inherit all capabilities from imported roles, and inherited
capabilities cannot be disabled.
* Role names cannot have uppercase characters. User names, however, are
case-insensitive.
importRoles = <string>
* Semicolon delimited list of other roles and their associated capabilities
that should be imported.
* Importing other roles also imports the other aspects of that role, such as
allowed indexes to search.
* By default a role imports no other roles.
grantableRoles = <string>
* Semicolon delimited list of roles that can be granted when edit_user
capability is present.
* By default, a role with edit_user capability can create/edit a user and
assign any role to them. But when grantableRoles is present, the roles
that can be assigned will be restricted to the ones provided.
* For a role that has no edit_user capability, grantableRoles has no effect.
* Defaults to not present.
* Example: grantableRoles = role1;role2;role3
srchFilter = <string>
* Semicolon delimited list of search filters for this Role.
* By default we perform no search filtering.
* To override any search filters from imported roles, set this to '*', as
the 'admin' role does.
srchTimeWin = <number>
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
srchDiskQuota = <number>
* Maximum amount of disk space (MB) that can be used by search jobs of a
user that belongs to this role
* In search head clustering environments, this setting takes effect on a per-member basis.
There is no cluster-wide accounting.
* The dispatch manager checks the quota at the dispatch time of a search
and additionally the search process will check at intervals that are defined
in the 'disk_usage_update_period' setting in limits.conf as long as the
search is active.
* The quota can be exceeded at times, since the search process does not check
the quota constantly.
* Exceeding this quota causes the search to be auto-finalized immediately,
even if there are results that have not yet been returned.
* Defaults to '100', for 100 MB.
srchJobsQuota = <number>
* Maximum number of concurrently running historical searches a member of
this role can have.
* This excludes real-time searches, see rtSrchJobsQuota.
* Defaults to 3.
rtSrchJobsQuota = <number>
* Maximum number of concurrently running real-time searches a member of this
role can have.
* Defaults to 6.
srchMaxTime = <number><unit>
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once a search has run for this amount of time, it is auto-finalized.
* If the role inherits from other roles, the maximum srchMaxTime value
specified in the included roles applies.
* This maximum does not apply to real-time searches.
* Examples: 1h, 10m, 2hours, 2h, 2hrs, 100s
* Defaults to 100days
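The inheritance rules above (the srchFilterSelecting combination in the [default] stanza, the srchFilter '*' override, and the largest srchMaxTime across imported roles) are easy to get wrong when reviewing a role. The following is an added example, not Splunk's code: it parses a small authorize.conf and resolves what a role actually ends up with. The conf text is constructed from the spec's own srchFilterSelecting example; the duration unit spellings beyond the spec's listed examples, and the treatment of each role's srchFilter as a single expression, are this example's assumptions.

```python
"""Resolve a role's effective srchFilter and srchMaxTime across importRoles.
Added example, not Splunk's code: models the srchFilterSelecting combination
rule, the srchFilter = '*' override and the srchMaxTime inheritance maximum."""
import re

# Constructed sample: the spec's srchFilterSelecting example plus srchMaxTime.
SAMPLE_CONF = """
[default]
srchFilterSelecting = true
[role_role1]
srchFilter = sourcetype!=ex1
srchMaxTime = 10m
[role_role2]
importRoles = role1
srchFilter = sourcetype=ex2
srchFilterSelecting = false
srchMaxTime = 2hours
[role_role3]
importRoles = role2
srchFilter = sourcetype!=ex3 AND index=main
srchMaxTime = 100s
"""

def parse_conf(text):
    """Minimal stanza parser: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def setting(stanzas, role, key, default=None):
    """Role-specific value, else the [default] stanza's value, else `default`."""
    return stanzas.get(f"role_{role}", {}).get(key, stanzas.get("default", {}).get(key, default))

def role_chain(stanzas, role):
    """Imported roles first, `role` last; `seen` stops an import cycle from looping."""
    chain, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for parent in setting(stanzas, name, "importRoles", "").split(";"):
            if parent.strip():
                visit(parent.strip())
        chain.append(name)

    visit(role)
    return chain

def effective_srch_filter(stanzas, role):
    """Selecting roles OR'd, eliminating roles AND'd, the two groups AND'd.
    A role's own '*' disables filtering. Each role's srchFilter is treated as one
    expression; the spec does not say how a semicolon-delimited list is joined."""
    if setting(stanzas, role, "srchFilter", "") == "*":
        return "*"
    selecting, eliminating = [], []
    for name in role_chain(stanzas, role):
        filt = setting(stanzas, name, "srchFilter", "")
        if not filt or filt == "*":
            continue  # an empty or imported '*' filter contributes nothing
        if setting(stanzas, name, "srchFilterSelecting", "true").lower() == "true":
            selecting.append(f"({filt})")
        else:
            eliminating.append(f"({filt})")
    parts = []
    if selecting:
        parts.append("(" + " OR ".join(selecting) + ")")
    if eliminating:
        parts.append("(" + " AND ".join(eliminating) + ")")
    return " AND ".join(parts)

# Unit spellings beyond the spec's examples (1h, 10m, 2hours, 2hrs, 100s, 100days) are assumed.
_UNIT_SECONDS = {"s": 1, "sec": 1, "secs": 1, "m": 60, "min": 60, "mins": 60,
                 "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
                 "d": 86400, "day": 86400, "days": 86400}

def parse_duration(text):
    """'10m' -> 600, '2hours' -> 7200; rejects anything it cannot interpret."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", text.strip())
    if not m or m.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised srchMaxTime value: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]

def effective_srch_max_time(stanzas, role):
    """Largest explicit srchMaxTime in the chain, in seconds; 100days if none is set."""
    explicit = [setting(stanzas, n, "srchMaxTime") for n in role_chain(stanzas, role)]
    values = [parse_duration(v) for v in explicit if v]
    return max(values) if values else parse_duration("100days")

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("srchFilter :", effective_srch_filter(conf, "role3"))
    print("srchMaxTime:", effective_srch_max_time(conf, "role3"), "seconds")
```

Run against the sample, role3 resolves to the filter the spec quotes, `((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))`, and to a srchMaxTime of 7200 seconds, the role2 value, which shows why a restrictive value on a child role does not tighten a limit an imported role has already loosened.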
srchIndexesDefault = <string>
* A semicolon-delimited list of indexes to search when no index is specified.
* These indexes can be wild-carded ("*"), with the exception that '*' does not
match internal indexes.
* To match internal indexes, start with '_'. All internal indexes are
represented by '_*'.
* The wildcard character '*' is limited to match either all the non-internal indexes
or all the internal indexes, but not both at once.
* If you make any changes in the "Indexes searched by default" Settings panel
for a role in Splunk Web, those values take precedence, and any wildcards
you specify in this setting are lost.
* Defaults to none.
srchIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to search
* Follows the same wildcarding semantics as srchIndexesDefault
* If you make any changes in the "Indexes" Settings panel
for a role in Splunk Web, those values take precedence, and any wildcards
you specify in this setting are lost.
* Defaults to none.
deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none
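The three index settings above share one wildcard rule: '*' covers only non-internal indexes, '_*' only internal ones, and neither reaches the other group. The following is an added example, not Splunk's code, that applies that rule to a constructed index inventory and adds a consistency check (default indexes the same role is not allowed to search) that the spec itself does not define. Glob matching for pattern forms other than the two the spec names is this example's assumption.

```python
"""Index wildcard matching for srchIndexesDefault, srchIndexesAllowed and
deleteIndexesAllowed. Added example, not Splunk's code."""
from fnmatch import fnmatchcase

# Constructed inventory: three public indexes and two internal ones.
KNOWN_INDEXES = ["main", "mail", "web_proxy", "_internal", "_audit"]

def entry_matches(entry, index):
    """One semicolon-delimited entry against one index name."""
    if entry.startswith("_") != index.startswith("_"):
        return False  # '*' never reaches internal indexes, '_*' never reaches public ones
    return fnmatchcase(index, entry)  # glob semantics for the rest is an assumption

def expand_index_list(value, known=KNOWN_INDEXES):
    """'main;_*' -> sorted names from `known` that the setting covers."""
    entries = [e.strip() for e in value.split(";") if e.strip()]
    return sorted(i for i in known if any(entry_matches(e, i) for e in entries))

def index_allowed(role_settings, index, known=KNOWN_INDEXES):
    """True if `index` falls within the role's srchIndexesAllowed."""
    return index in expand_index_list(role_settings.get("srchIndexesAllowed", ""), known)

def unreachable_defaults(role_settings, known=KNOWN_INDEXES):
    """Consistency check added here (not a rule the spec states): default indexes
    that the same role's srchIndexesAllowed does not cover."""
    allowed = set(expand_index_list(role_settings.get("srchIndexesAllowed", ""), known))
    defaults = expand_index_list(role_settings.get("srchIndexesDefault", ""), known)
    return [i for i in defaults if i not in allowed]

# Constructed role settings: the example file's 'ninja' role and a stricter one.
NINJA = {"srchIndexesAllowed": "*", "srchIndexesDefault": "mail;main"}
AUDITOR = {"srchIndexesAllowed": "_audit", "srchIndexesDefault": "_*"}

if __name__ == "__main__":
    for name, role in (("ninja", NINJA), ("auditor", AUDITOR)):
        print(name, "allowed:", expand_index_list(role["srchIndexesAllowed"]))
        print(name, "default:", expand_index_list(role["srchIndexesDefault"]))
        print(name, "defaults not allowed:", unreachable_defaults(role))
```

For the ninja role, `*` expands to the three public indexes and leaves `_internal` and `_audit` out, which is exactly what the example file's comment promises; the auditor role shows the check catching a default list (`_*`) wider than the allowed list (`_audit`).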
cumulativeSrchJobsQuota = <number>
* Maximum number of concurrently running historical searches in total
across all members of this role
* Requires enable_cumulative_quota = true in limits.conf to take effect.
* If a user belongs to multiple roles, the user's searches count against the role with
the largest cumulative search quota. Once the quota for that role is consumed, the
user's searches count against the role with the next largest quota, and so on.
* In search head clustering environments, this setting takes effect on a per-member basis.
There is no cluster-wide accounting.
cumulativeRTSrchJobsQuota = <number>
* Maximum number of concurrently running real-time searches in total
across all members of this role
* Requires enable_cumulative_quota = true in limits.conf to take effect.
* If a user belongs to multiple roles, the user's searches count against the role with
the largest cumulative search quota. Once the quota for that role is consumed, the
user's searches count against the role with the next largest quota, and so on.
* In search head clustering environments, this setting takes effect on a per-member basis.
There is no cluster-wide accounting.
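The multi-role rule for the two cumulative quotas (charge the role with the largest quota first, then the next largest once it is consumed) determines which role's limit a user actually hits. The following is an added example, not Splunk's code, that models that accounting for one search head member, since the spec says there is no cluster-wide accounting. The quota values and the treatment of a role with no cumulative quota as unlimited are this example's assumptions; the spec states no default for the setting.

```python
"""Which role a new search counts against under cumulativeSrchJobsQuota.
Added example, not Splunk's code; the same logic applies to
cumulativeRTSrchJobsQuota with real-time searches counted separately."""
import math

def quota_of(role_quota, role):
    """Roles with no cumulativeSrchJobsQuota are treated as unlimited here; the
    spec gives no default, so this is an assumption of the example."""
    return role_quota.get(role, math.inf)

def choose_quota_role(user_roles, role_quota, running):
    """Role a new historical search would count against, or None if every
    cumulative quota the user can draw on is already consumed."""
    # Largest quota first; ties broken by name for determinism (the spec does not say).
    for role in sorted(user_roles, key=lambda r: (-quota_of(role_quota, r), r)):
        if running.get(role, 0) < quota_of(role_quota, role):
            return role
    return None

def admit_search(user_roles, role_quota, running, cumulative_enabled=True):
    """Returns (admitted, charged_role). With enable_cumulative_quota off in
    limits.conf, the spec says the setting has no effect, so nothing is charged."""
    if not cumulative_enabled:
        return True, None
    role = choose_quota_role(user_roles, role_quota, running)
    if role is None:
        return False, None
    running[role] = running.get(role, 0) + 1
    return True, role

def release_search(role, running):
    """Search finished: give the slot back to the role it was charged to."""
    if role is not None and running.get(role, 0) > 0:
        running[role] -= 1

if __name__ == "__main__":
    quota = {"power": 2, "analyst": 1, "ops": 1}  # constructed cumulative quotas
    running = {}
    for n in range(5):
        print(n + 1, admit_search(["analyst", "power", "ops"], quota, running), dict(running))
```

With those constructed quotas a user holding all three roles has the first two searches charged to `power`, the third to `analyst`, the fourth to `ops`, and the fifth refused; that is the order in which a user's searches spill from the largest cumulative quota to the smallest.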
### Descriptions of Splunk system capabilities. Capabilities are added to roles, to which users are then assigned.
When a user is assigned a role, they acquire the capabilities added to that role.

[capability::accelerate_datamodel]

* Lets a user enable or disable datamodel acceleration.

[capability::accelerate_search]

* Lets a user enable or disable acceleration for reports.
* The assigned role must also be granted the schedule_search capability.

[capability::admin_all_objects]

* Lets a user access all objects in the system, such as user
objects and knowledge objects.
* Lets a user bypass any ACL restrictions, much the way root access in a *nix
environment does.
* Splunk checks this capability when accessing manager pages and objects.

[capability::dispatch_rest_to_indexers]

[capability::edit_deployment_client]

[capability::edit_deployment_server]

* Lets a user edit the deployment server.
* Lets a user edit a deployment server admin endpoint.
* Lets a user change or create remote inputs that are pushed to the forwarders and other deployment clients.

[capability::edit_dist_peer]

* Lets a user add and edit peers for distributed search.

[capability::edit_encryption_key_provider]

* Lets a user view and edit keyprovider properties when using
the Server-Side Encryption (SSE) feature for a remote storage volume.

[capability::edit_forwarders]

* Lets a user edit settings for forwarding data, including settings for SSL, backoff schemes, etc.
* Also used by TCP and Syslog output admin handlers.

[capability::edit_httpauths]

* Lets a user edit and end user sessions through the httpauth-tokens endpoint.

[capability::edit_indexer_cluster]

* Lets a user edit or manage indexer clusters.

[capability::edit_indexerdiscovery]

* Lets a user edit settings for indexer discovery, including settings for master_uri, pass4SymmKey, etc.
* Also used by Indexer Discovery admin handlers.

[capability::edit_input_defaults]

* Lets a user change the default hostname for input data through the server
settings endpoint.

[capability::edit_monitor]

* Lets a user add inputs and edit settings for monitoring files.
* Also used by the standard inputs endpoint as well as the one-shot input
endpoint.

[capability::edit_modinput_perfmon]

[capability::edit_modinput_admon]

[capability::edit_roles]

* Lets a user edit roles.
* Lets a user change the mappings from users to roles.
* Used by both the user and role endpoint.

[capability::edit_roles_grantable]

* Lets the user edit roles and change user-to-role mappings for a limited set of roles.
* To limit this ability, also assign the edit_roles_grantable capability
and configure grantableRoles in authorize.conf. For example:
grantableRoles = role1;role2;role3. This lets the user create roles using the
subset of capabilities that the user has in their grantable_roles
configuration.

[capability::list_search_head_clustering]

[capability::list_search_scheduler]

[capability::list_settings]

* Lets a user list general server and introspection settings such as the server
name, log levels, etc.

[capability::list_storage_passwords]

* Lets a user access the /storage/passwords endpoint.
* Lets the user perform GETs.
* The admin_all_objects capability must be added to the role in order for the user to
perform POSTs to the /storage/passwords endpoint.

[capability::search]

[capability::search_process_config_refresh]

[capability::use_file_operator]

* Lets a user use the "file" search operator.

[capability::web_debug]

* Lets a user access /_bump and /debug/** web debug endpoints.

authorize.conf.example

# Version 7.0.3
#
# This is an example authorize.conf. Use this file to configure roles and
# capabilities.
#
# To use one or more of these configurations, copy the configuration block
# into authorize.conf in $SPLUNK_HOME/etc/system/local/. You must reload
# auth or restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 500
# This creates the role 'ninja', which inherits capabilities from the 'user'
# role. ninja has almost the same capabilities as power, except that it cannot
# schedule searches.
#
# The search filter limits ninja to searching on host=foo.
#
# ninja is allowed to search all public indexes (those that do not start
# with underscore), and will search the indexes mail and main if no index is
# specified in the search.
#
# ninja is allowed to run 8 search jobs and 8 real time search jobs
# concurrently (these counts are independent).
#
# ninja is allowed to take up 500 megabytes total on disk for all their jobs.
